Legal claims defining the scope of protection, as filed with the USPTO.
1. A system for detecting malicious software on a computer executing a process, comprising: a computer-readable storage medium storing executable computer program modules comprising: a signature module adapted to hold signatures identifying malicious software; a memory dump module adapted to create a memory dump containing an executable file image based on the process; a signature scanning module adapted to determine whether the memory dump includes a signature held by the signature module; and a reporting module adapted to report an outcome of the determination to an end-user of the computer; and a processor for executing the computer program modules.
2. The system of claim 1, further comprising: a server interface module adapted to interact with a security server via a network; and wherein the reporting module is in communication with the server interface module and further adapted to provide the memory dump to the security server.
3. The system of claim 1, wherein the process executes in an address space and wherein the memory dump module is further adapted to: determine a memory region in the process's address space containing the executable file image; and create the memory dump responsive to the determined memory region.
4. The system of claim 1, wherein the computer is executing an operating system and wherein the memory dump module is further adapted to: query the operating system for information describing a memory range containing the executable file image; and determine whether the information describing the memory range is suspicious.
5. The system of claim 4, wherein the process executes in an address space and wherein the memory dump module is further adapted to: analyze the process's address space to determine the memory range containing the executable file image responsive to a determination that the information describing the memory range is suspicious.
6. The system of claim 1, wherein the memory dump module is further adapted to: alter the memory dump to make it resemble an executable file.
7. A method for detecting malicious software on a computer executing a process in an address space, comprising: determining a memory range in the address space of the process containing an executable file image; creating a memory dump of the executable file image; determining whether the memory dump includes a signature identifying malicious software; and reporting an outcome of the determination to an end-user of the computer.
8. The method of claim 7, further comprising: providing the memory dump to a security server for subsequent analysis.
9. The method of claim 7, wherein the computer is executing an operating system and wherein determining a memory range comprises: querying the operating system for information describing the memory range containing the executable file image; and determining whether the information describing the memory range is suspicious.
10. The method of claim 9, further comprising: analyzing the process's address space to determine the memory range containing the executable file image responsive to a determination that the information describing the memory range is suspicious.
11. The method of claim 7, wherein creating a memory dump further comprises: altering the memory dump to make it resemble an executable file.
12. The method of claim 7, wherein creating a memory dump further comprises creating the memory dump at a random time period after the process begins executing.
13. The method of claim 7, wherein creating a memory dump further comprises creating the memory dump at a predetermined time period after the process begins executing.
14. The method of claim 7, wherein creating a memory dump further comprises creating the memory dump responsive to an action performed by the process.
15. A computer program product having a computer-readable medium having computer program code embodied therein for detecting malicious software on a computer executing a process, the computer program code comprising: a signature module adapted to hold signatures identifying malicious software; a memory dump module adapted to create a memory dump containing an executable file image based on the process; a signature scanning module adapted to determine whether the memory dump includes a signature held by the signature module; and a reporting module adapted to report an outcome of the determination to an end-user of the computer.
16. The computer program product of claim 15, further comprising: a server interface module adapted to interact with a security server via a network; and wherein the reporting module is in communication with the server interface module and further adapted to provide the memory dump to the security server.
17. The computer program product of claim 15, wherein the process executes in an address space and wherein the memory dump module is further adapted to: determine a memory region in the process's address space containing the executable file image; and create the memory dump responsive to the determined memory region.
18. The computer program product of claim 15, wherein the computer is adapted to execute an operating system and wherein the memory dump module is further adapted to: query the operating system for information describing a memory range containing the executable file image; and determine whether the information describing the memory range is suspicious.
19. The computer program product of claim 18, wherein the process executes in an address space and wherein the memory dump module is further adapted to: analyze the process's address space to determine the memory range containing the executable file image responsive to a determination that the information describing the memory range is suspicious.
20. The computer program product of claim 15, wherein the memory dump module is further adapted to: alter the memory dump to make it resemble an executable file.
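The pipeline the system claims (1, 3 to 6) and method claims (7 to 11) describe, as an added toy example that is not the patent's own implementation: query an OS region map, flag suspicious ranges, locate the executable file image inside one, dump it from its header onward so it resembles an executable file, scan the dump against signatures, and collect findings for a report. The region listing, the minimal MZ/PE header layout, the signature strings and the "unbacked or writable executable memory is suspicious" rule are all constructed assumptions.

```python
# Added example (constructed, not the patent's code): toy of the claimed pipeline
def pe_like_image(body):
    """Minimal constructed image: MZ stub, e_lfanew at 0x3c, 'PE\\0\\0', then body."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> NT headers at 0x40
    return bytes(hdr) + b"PE\x00\x00" + body

SIGNATURES = {"Constructed.Dropper": b"DR0P_MARKER", "Constructed.Stealer": b"STEAL_MARK"}

# Constructed OS region listing (what "querying the operating system" would return)
REGIONS = [
    {"base": 0x00400000, "prot": "r-x", "backing": "C:\\app\\host.exe",
     "bytes": pe_like_image(b"legitimate host code")},
    {"base": 0x00900000, "prot": "rw-", "backing": None, "bytes": b"\x00" * 64},
    {"base": 0x00A00000, "prot": "rwx", "backing": None,  # unbacked RWX: injected image
     "bytes": b"\x90" * 16 + pe_like_image(b"padding DR0P_MARKER end")},
]

def is_suspicious(region):
    """Executable memory that no on-disk file backs, or that is also writable."""
    return "x" in region["prot"] and (region["backing"] is None or "w" in region["prot"])

def find_image_offset(data):
    """Offset of an MZ header whose e_lfanew points at 'PE\\0\\0', else None."""
    start = 0
    while (i := data.find(b"MZ", start)) != -1:
        if i + 0x40 <= len(data):
            lfanew = int.from_bytes(data[i + 0x3C:i + 0x40], "little")
            if data[i + lfanew:i + lfanew + 4] == b"PE\x00\x00":
                return i
        start = i + 1
    return None

def create_memory_dump(region):
    """Dump from the image header onward so the dump starts like an executable file."""
    off = find_image_offset(region["bytes"])
    return None if off is None else region["bytes"][off:]

def scan_dump(dump):
    return [name for name, pat in SIGNATURES.items() if pat in dump]

def detect(regions=REGIONS):
    """Findings for the report: one entry per (suspicious region, matched signature)."""
    findings = []
    for r in regions:
        dump = create_memory_dump(r) if is_suspicious(r) else None
        for name in scan_dump(dump or b""):
            findings.append({"base": r["base"], "signature": name, "dump_size": len(dump)})
    return findings
```

The file-backed, read-execute host image is skipped and the plain heap has no image, so only the unbacked RWX region is dumped and matched; the dump is what claims 2 and 8 would forward to a security server.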
July 28, 2009